Path Traversal when uploading a file in metersphere/metersphere


Reported on Dec 25th 2022

metersphere allows users to upload files, but does not check the file name.

PoC can be found in the link


File overwrite, remote code injection and so on.
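As an added example (not MeterSphere's code and not the fix from commit 3a890e), the pattern the report describes beside a hardened version: the unsafe variant joins the client-supplied original file name straight onto the upload directory, while the safe variant keeps only the base name and verifies that the resolved path stays inside the directory. The upload directory and file names are constructed assumptions; no files are written.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not MeterSphere's code. Builds target paths only; no I/O.
public class UploadPathCheck {

    // Vulnerable pattern: the client-supplied name is joined onto the upload
    // directory as-is, so "../" segments walk out of it.
    static Path unsafeTarget(Path uploadDir, String originalFilename) {
        return uploadDir.resolve(originalFilename).normalize();
    }

    // Hardened pattern: keep only the last path component, reject anything
    // empty or dangerous, then prove the normalized result is inside uploadDir.
    static Path safeTarget(Path uploadDir, String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Some clients send a full client-side path; keep only the base name.
        String name = originalFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name: " + originalFilename);
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        // Defence in depth: even after stripping, require containment.
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload dir: " + originalFilename);
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/srv/app/uploads");   // constructed
        String hostile = "../../outside.txt";             // constructed
        // The unsafe target lands outside uploadDir; the safe one stays inside.
        System.out.println("unsafe: " + unsafeTarget(uploadDir, hostile));
        System.out.println("safe:   " + safeTarget(uploadDir, hostile));
    }
}
```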


We are processing your report and will contact the metersphere team within 24 hours. 15 days ago
We have contacted a member of the metersphere team and are waiting to hear back 14 days ago
metersphere/metersphere maintainer gave praise 14 days ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
12 days ago


Hi, could you please validate this report and assign a CVE once we fix it?

10 days ago


@admin, will my comment be sent to the maintainer by email?

metersphere/metersphere maintainer
7 days ago


The vulnerability has been fixed and CVE-2022-46178 has been issued.

7 days ago


That's good, and could you please validate this report without assigning a CVE?

metersphere/metersphere maintainer validated this vulnerability 7 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
metersphere/metersphere maintainer marked this as fixed in v2.5.1 with commit 3a890e 7 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
metersphere/metersphere maintainer published this vulnerability 7 days ago